FDA, MITRE, MDIC Create Medical Device Threat Modeling Playbook

MITRE and the Medical Device Innovation Consortium (MDIC) partnered with the FDA to release a playbook for medical device threat modeling.

By Jill McKeon

MITRE and the Medical Device Innovation Consortium (MDIC) teamed up to release a playbook for medical device threat modeling to help organizations strengthen the cybersecurity of medical devices.

The playbook incorporated insights from a series of threat modeling bootcamps for medical device manufacturers hosted by MITRE, MDIC and the Food and Drug Administration (FDA) in 2020 and 2021.

“Medical devices are increasingly complex and connected systems existing in complex connected ecosystems of healthcare delivery,” the playbook stated.

“Although standard lists of controls such as the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and ANSI/AAMI/IEC 80001 can ensure some baseline security capabilities, they fail to address the myriad of ways that medical devices are used, interface with the healthcare ecosystem, and most important, how security risks could result in unacceptable safety issues.”

The playbook posited that a well-developed threat model can help organizations and manufacturers “document how a system is intended to function, justify trade-offs made in the design process, identify remaining threats to the system, and explain what mitigations are in place against them.”

The biggest challenge with threat modeling is that there is no one-size-fits-all approach, the playbook reasoned. Researchers provided three fictional medical devices to threat model, with strategies and concepts that can be applied to other systems.

One of the examples provided a threat model for a fictional Ankle Monitor Predictor of Stroke (AMPS) system, a home-use medical device for stroke detection. The threat model first identified the AMPS system’s core use case, core technology, and capabilities.

Next, the model incorporated the “Four Questions Framework,” a set of questions developed by bootcamp lead trainer Adam Shostack to structure the threat modeling journey:

  • What are we working on?
  • What can go wrong?
  • What are we going to do about it?
  • Did we do a good job?

Identifying potential vulnerabilities and preparing for things to go wrong is a crucial step in threat modeling and can help organizations maintain patient safety and bounce back quickly in the face of security issues.

“There is no universal ‘best’ modeling technique. Instead, organizations may select what works best for their needs and the systems they are attempting to understand,” the playbook continued.

“It can also be helpful to remember that these modeling techniques all describe a common underlying system. Therefore, different modeling techniques may highlight different aspects of the system in unique ways that can be helpful when identifying threats.”

The playbook also outlined tips for knowing when to move on to the next step of the threat modeling process. Threat model developers should ask themselves whether someone unfamiliar with the system could learn how it works based on the current stage, and whether diagrams are clear and concise with minimal overlapping data flows.

Most importantly, the playbook stressed that there is no such thing as a perfect threat model. Threat models should be used as a rough estimation of risk and can serve as an exercise for organizations to assess the vulnerabilities associated with medical devices.

“Threat modeling identifies threats that could adversely impact the safety and security of a medical device. Threat modeling is an information-generating process that informs quality processes activities. Creating a threat model is not a paperwork exercise to check a compliance box,” the playbook concluded.

“Instead, the threat model informs decisions about design, development, testing, and postmarket activities. It serves to document those decisions for internal stakeholders, customers, and regulatory reviewers.”